Dealhelper!


26 replies to this topic

#1 tman


Posted 09 May 2004 - 10:35 PM

Hello! I have recently noticed DealHelper on my comp. I have already managed to get rid of TimeSynchronize, which didn't really give me any trouble, but this DealHelper is impossible. Since I have noticed this I cannot use System Restore; it won't let me pick any later days than the current one, and also all my search engines such as Yahoo and Google are acting weird. Now I have downloaded and successfully used Ad-Aware, Spybot, Spy Sweeper and have just used HijackThis. All helped me rid a huge amount of spyware but none of them have gotten DealHelper. With HijackThis I just selected anything that said DealHelper, being I really don't have much knowledge at what I'm looking at, but yet every time I go to delete it, it says installation log file not found... Any help please on DealHelper and also how to get my System Restore back. Thanks!!!!!


#2 ZeYusAngelBee


Posted 10 May 2004 - 12:21 AM

Hello:

I belong to 2 other forums besides BC, Lavasoft and SWI.

Recently, I stumbled across a post about this very topic.

This was the suggested removal of this DealHelper:

If you wish to remove DealHelper from your computer you must first uninstall TimeSynchronize from the control panel, and then after that you will be able to uninstall DealHelper. The problem was that TimeSynchronize never appeared in the Control Panel to remove.

So, in this case, I would suggest that you visit TimeSynchronize.com and do a full reinstall and then uninstall from the Control Panel. I did this, and it worked great. Or you may remove DealHelper manually:

1. Stop all instances of IE or AOL.
2. Kill processes (from task manager) dhsrv and dhbrwsr.
3. Ensure TimeSynchronize.exe is deleted
4. go to windows directory.
5. Execute: regsvr32.exe /u dealhlpr.dll
6. delete file dealhlpr.dll
7. Execute: regsvr32.exe /u dhp.dll
8. delete file dhp.dll
9. execute dhbrwser.exe -UnregServer
10. delete dhbrwser.exe
11. execute dhsvr.exe -UnregServer
12. delete dhsvr.exe
13. delete DHun.exe

Hope this helps!

The forum I copied this from's addy: http://www.lavasoftsupport.com/index.php?s...2&hl=dealhelper

You may have to join the forum to view the post. If you do join, you can post your trouble there as well and double exposure can't hurt, right?

Edited by ZeYusAngelBee, 10 May 2004 - 12:24 AM.

~~ZeYusAngelBee~~

#3 Papakid

  • Malware Response Team

Posted 10 May 2004 - 01:22 AM

Hi tman,
It would help if we could see a HijackThis log.

After you scan with HijackThis, the "Scan" button becomes a "Save log" button. Click that & save the log somewhere such as My Documents. Then open the log file, click Edit>Select All, then Edit again>Copy. Come back to this Topic, click "Add Reply", right click in the white field & choose Paste.

We'll have a look & see what we can do.

The thing about people

is they change

when they walk away.--Mipso


#4 tman


Posted 10 May 2004 - 08:14 AM

Hey ZeYus, thanks a lot, but unfortunately, like I said in my post, I had no problem deleting TimeSynchronize; in fact it was on my Add and Remove list in the Control Panel.
Papakid, as soon as I am done writing this I will go scan with HijackThis and let you guys see it. Thanks!!!!

#5 tman


Posted 10 May 2004 - 08:16 AM

OK guys, here it is. I hope this is what you guys want; hope it helps!! Thank you!!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\PopUpWasher\PopUpWasher.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Student\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-1.net/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxysrv:8080
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.search-1.net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.search-1.net/search.html
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
O1 - Hosts: 209.66.114.130 sitefinder.verisign.com
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {447160CD-ECF5-4EA2-8A8A-1F70CA363F85} - C:\WINDOWS\System32\msibkd.dll
O2 - BHO: (no name) - {4A3A071E-F913-4eee-AE15-AEFFA16FB6BC} - C:\WINDOWS\PopUpWasher21.dll
O2 - BHO: (no name) - {5886A6DC-AAF4-45E9-979A-8E5E6DEE30E7} - C:\Program Files\zSearch\zSearch.dll (file missing)
O2 - BHO: (no name) - {63CF97E8-4133-438a-A831-CC9C6D47D673} - (no file)
O2 - BHO: (no name) - {7371F073-AC0F-4b80-BB2F-96A488CEFB32} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [PopUpWasher] C:\Program Files\Webroot\PopUpWasher\PopUpWasher.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5...b?1083725975268
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -

#6 Papakid


Posted 10 May 2004 - 08:11 PM

OK, tman, let's get this ball rolling. I have a few things for you to do before fixing with HijackThis.

First, you need to move HijackThis into its own permanent folder. This is important.
Please follow THESE INSTRUCTIONS.

Now run CWShredder.
Direct Download of CWShredder

After you download the program, unzip it into a directory (folder). Double click on CWShredder.exe then click on the "Check for Update" button, and if it finds a new version it will download it. Now close it & boot into Safe Mode to run it.

Please view this tutorial for details: How to remove CoolWebSearch with CoolWeb Shredder

Then run HijackThis again and post another log. Be sure to use the "Select All" method I mentioned in my earlier post. Your log is missing the system specs at the top & possibly some entries at the bottom. If you don't see the specs (that tell what Operating System you're running, among other things) in the log you save after scanning, let me know.

Also, before scanning with HijackThis again, please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows



#7 tman


Posted 10 May 2004 - 09:32 PM

Hello again, thanks for the help. I hope this helps a little better!!
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\System32.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxysrv:8080
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {447160CD-ECF5-4EA2-8A8A-1F70CA363F85} - C:\WINDOWS\System32\msibkd.dll
O2 - BHO: (no name) - {4A3A071E-F913-4eee-AE15-AEFFA16FB6BC} - C:\WINDOWS\PopUpWasher21.dll
O2 - BHO: (no name) - {5886A6DC-AAF4-45E9-979A-8E5E6DEE30E7} - C:\Program Files\zSearch\zSearch.dll (file missing)
O2 - BHO: (no name) - {63CF97E8-4133-438a-A831-CC9C6D47D673} - (no file)
O2 - BHO: (no name) - {7371F073-AC0F-4b80-BB2F-96A488CEFB32} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [PopUpWasher] C:\Program Files\Webroot\PopUpWasher\PopUpWasher.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5...b?1083725975268
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -

#8 tman


Posted 10 May 2004 - 09:51 PM

Hey Papakid, I'm not sure if this log looks much different, but anyhow I went and did every step you told me to perform. I hope it has what you are looking for. If not, please continue the help. Thank you again!!

#9 Papakid


Posted 10 May 2004 - 10:16 PM

tman,
So you're saying that you don't have a section at the top of your log that looks like this:

Logfile of HijackThis v1.97.7
Scan saved at 10:46:50 AM, on 10/8/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Please confirm. If it's not there it's not there. Just tell me which operating system (XP, 2000, etc.) you're running and which version of Internet Explorer. With IE open click Help>About Internet Explorer. If it's something less than 6.0 with SP1, let me know. I also need to confirm if it's the latest version of HijackThis. Look at the title bar and tell me if it's 1.97.7 or not.

Any improvement after running CWShredder?



#10 tman


Posted 10 May 2004 - 10:38 PM

Oh, I'm sorry. OK, yes, I do have that; I just wasn't copying that, as I didn't know you needed that. Well, here it is... and also yes, I believe I had a successful Shredder run, but yet I cannot delete DealHelper.

Logfile of HijackThis v1.97.7
Scan saved at 11:35:57 PM, on 5/10/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\System32.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\PopUpWasher\PopUpWasher.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxysrv:8080
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {447160CD-ECF5-4EA2-8A8A-1F70CA363F85} - C:\WINDOWS\System32\msibkd.dll
O2 - BHO: (no name) - {4A3A071E-F913-4eee-AE15-AEFFA16FB6BC} - C:\WINDOWS\PopUpWasher21.dll
O2 - BHO: (no name) - {5886A6DC-AAF4-45E9-979A-8E5E6DEE30E7} - C:\Program Files\zSearch\zSearch.dll (file missing)
O2 - BHO: (no name) - {63CF97E8-4133-438a-A831-CC9C6D47D673} - (no file)
O2 - BHO: (no name) - {7371F073-AC0F-4b80-BB2F-96A488CEFB32} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [PopUpWasher] C:\Program Files\Webroot\PopUpWasher\PopUpWasher.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5...b?1083725975268
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -

#11 Papakid


Posted 11 May 2004 - 02:12 PM

Alright, tman, we're going to take this in stages. The first stage is to get your system cleaned up so we can concentrate on Dealhelper & System Restore later. You have at least one virus/trojan & some other malware. The virus is probably what caused the problem with System Restore in the first place.

Follow these instructions exactly and don't skip any steps.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Scan again with HijackThis. Close all other windows, put a checkmark by these entries, double-checking to be sure that only these entries are checked & then click the "Fix checked" button.

R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - (no file)
O2 - BHO: (no name) - {447160CD-ECF5-4EA2-8A8A-1F70CA363F85} - C:\WINDOWS\System32\msibkd.dll
O2 - BHO: (no name) - {5886A6DC-AAF4-45E9-979A-8E5E6DEE30E7} - C:\Program Files\zSearch\zSearch.dll (file missing)
O2 - BHO: (no name) - {63CF97E8-4133-438a-A831-CC9C6D47D673} - (no file)
O2 - BHO: (no name) - {7371F073-AC0F-4b80-BB2F-96A488CEFB32} - (no file)

Reboot your computer into Safe Mode and delete the following files if they exist:

C:\WINDOWS\System32\System32.exe <--This is the virus/trojan.
C:\Program Files\zSearch\zSearch.dll <--just delete the entire zSearch folder.

While in safe mode, run Disk Cleanup. Have it clean up everything but for sure delete Temporary Internet Files and all Temp files.

Reboot into normal mode.

Now turn off System Restore & then turn it back on again if it will let you. Instructions can be found here:

Windows XP System Restore Guide

Rescan with HijackThis and post another log.

Then go to Windows Update and download & install at least SP1. You should consider ordering the Windows Security Update CD. It will install all the other patches & includes a one year free trial of EZ Armor, an antivirus & firewall package. The AV is not very good, but it is better than nothing. May prevent you from downloading those removal tools. It will cost you around $10 US for shipping. See my post on the subject in this thread:
http://www.bleepingcomputer.com/forums/ind...p?showtopic=292



#12 tman


Posted 11 May 2004 - 10:32 PM

Thanks again Papakid. Well, I did every single step you said successfully. zSearch didn't exist, and I deleted System32.exe, but when I booted it back to normal a thing came up saying how it couldn't find System32.exe and so on and so forth, but that's probably not a big deal. Well, here's the new log. Thanks again!!

Logfile of HijackThis v1.97.7
Scan saved at 11:26:14 PM, on 5/11/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\windows\system32\mousedrv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxysrv:8080
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
F1 - win.ini: run=c:\windows\system32\mousedrv.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\System32\mskhhe.dll
O2 - BHO: (no name) - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - C:\WINDOWS\System32\msdaim.dll
O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - C:\WINDOWS\System32\mskpkc.dll
O2 - BHO: (no name) - {4A3A071E-F913-4eee-AE15-AEFFA16FB6BC} - C:\WINDOWS\PopUpWasher21.dll
O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - C:\WINDOWS\System32\msjfbl.dll
O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - C:\WINDOWS\System32\msedah.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Mousedrv] c:\windows\system32\mousedrv.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [PopUpWasher] C:\Program Files\Webroot\PopUpWasher\PopUpWasher.exe
O4 - HKCU\..\Run: [Mousedrv] c:\windows\system32\mousedrv.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5...b?1083725975268
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
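The log above, run through a small triage pass (my own added example, not code from this thread or from HijackThis): it flags the F0/F2 Shell= hijack and orphaned O2 BHOs Papakid fixed in the previous round, the R1 proxy and search entries, and the new win.ini run= entry, then cross-references every executable that is wired into more than one autostart location. The sample lines are copied from tman's logs; the rules and the cross-reference are heuristics of mine, not HijackThis's own logic.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis logs tman posted in this thread
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-1.net/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxysrv:8080
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
F1 - win.ini: run=c:\windows\system32\mousedrv.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - (no file)
O2 - BHO: (no name) - {5886A6DC-AAF4-45E9-979A-8E5E6DEE30E7} - C:\Program Files\zSearch\zSearch.dll (file missing)
O4 - HKLM\..\Run: [Mousedrv] c:\windows\system32\mousedrv.exe
O4 - HKCU\..\Run: [Mousedrv] c:\windows\system32\mousedrv.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code ("F0", "O2", ...) or "XREF" for a cross-reference hit
    reason: str
    line: str


SECTION_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
# A drive-letter path ending in .exe/.dll; tolerates spaces ("Program Files") and quotes
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll))"?', re.IGNORECASE)


def _exe_paths(text):
    return [m.group(1).lower() for m in PATH_RE.finditer(text)]


def _scan(log_text):
    """Walk the log once: per-line findings plus a map of executable -> autostart locations."""
    findings, autostart = [], defaultdict(set)
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue  # header, "Running processes:" block, blank lines
        sec, body = m.group("sec"), m.group("body")
        if sec in ("F0", "F2"):
            # Shell= in system.ini (file and registry copy) must be exactly Explorer.exe;
            # anything appended is launched at every logon alongside the real shell.
            value = body.split("Shell=", 1)[1].strip() if "Shell=" in body else ""
            rest = value[len("Explorer.exe"):].strip() if value.lower().startswith("explorer.exe") else value
            if rest:
                findings.append(Finding(sec, "shell hijack, extra program next to Explorer: " + rest, line))
                for p in _exe_paths(rest):
                    autostart[p].add(sec)
        elif sec == "F1":
            # win.ini run=/load= is a legacy autostart that nothing on XP should still need
            findings.append(Finding(sec, "legacy win.ini autostart", line))
            for p in _exe_paths(body):
                autostart[p].add(sec)
        elif sec == "O4":
            hive = "HKLM" if body.startswith("HKLM") else "HKCU"
            for p in _exe_paths(body):
                autostart[p].add(f"{sec}-{hive}")
        elif sec == "O2":
            if body.endswith("(no file)") or body.endswith("(file missing)"):
                findings.append(Finding(sec, "BHO registration whose DLL is gone", line))
        elif sec in ("R0", "R1"):
            if "ProxyServer" in body:
                findings.append(Finding(sec, "proxy configured for Internet Explorer", line))
            elif re.search(r"SearchURL|SearchAssistant|CustomizeSearch", body):
                findings.append(Finding(sec, "search redirect", line))
    return findings, autostart


def autostart_map(log_text):
    return dict(_scan(log_text)[1])


def triage(log_text):
    findings, autostart = _scan(log_text)
    # One executable wired into several autostart locations is the strongest single signal here
    for path, locs in autostart.items():
        if len(locs) > 1:
            findings.append(Finding("XREF", f"started from {len(locs)} locations: {', '.join(sorted(locs))}", path))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

On the sample it reports System32.exe in both the file and registry copy of Shell= and mousedrv.exe in three places at once (win.ini plus the HKLM and HKCU Run keys), while the Acrobat BHO and the AIM Run entry pass silently.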

#13 Papakid


Posted 12 May 2004 - 01:17 AM

Well, tman, you're still infected. Not running an anti-virus or firewall, there's no telling what all has come in through the back door. I hope you don't have any credit card or other vital information lying around on your PC. You need to get cleaned up and install an antivirus now!

Here's what I suggest.

1. Download one of these two free antivirus solutions. AVG is light on resources, is updated regularly but offers no support. Avast may be easier to use, is set up to scan email on installation & offers automatic updates that check for a connection, which even some high-dollar AVs don't do.

AVG
avast! 4

Download ONE of these but don't install it.

2. Download a firewall. If you are on DSL or cable, this is essential. See our tutorial Understanding and Using Firewalls. It contains links to free firewalls. Another good one not mentioned is Sygate. Download ONE of these but don't install it.

3. Download SYSCLEAN.COM from Trend Micro: SysClean Direct download
Create a folder and copy SYSCLEAN.COM into this folder. Download the latest pattern file. CLICK HERE. to go to the pattern file page. As of this writing, the latest file is lpt889.zip. Unzip the downloaded ZIP pattern file into the created folder <<--this step is essential. Just make sure that the unzipped pattern file and SysClean.com are in the same folder.

4. DISCONNECT from the net. If you're on DSL or cable, physically unhook.

5. Run SysClean according to these instructions. Any infected files that can't be cleaned should be deleted.

6. Install your downloaded firewall.

7. Install your downloaded antivirus.

8. Now you can get back online. Update your antivirus and run a full system scan.

9. Run AdAware & Spybot S&D again.

10. Post another HijackThis log. And let me know what all was found on your machine.

11. While you're waiting for a reply, go to Windows Update and have SP1 installed.

Just some suggestions.



#14 tman


Posted 12 May 2004 - 02:59 PM

OK Papakid, I did everything... now for the firewall I just enabled the one that's on XP; is that good enough??? The virus scanner AVG found "Trojan horse Downloader.crypter.E" in C:\windows\system32\mousedrv.exe, but when I go to move it to the vault, or delete it I should say, it says it cannot be removed?? Please hang in there with me; you've done a lot for me so far, I just need to get this removed before we go further. OK, here's a new log!


Logfile of HijackThis v1.97.7
Scan saved at 3:53:24 PM, on 5/12/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\SYSTEM32\mousedrv.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\PopUpWasher\PopUpWasher.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxysrv:8080
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
F1 - win.ini: run=c:\windows\system32\mousedrv.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4A3A071E-F913-4eee-AE15-AEFFA16FB6BC} - C:\WINDOWS\PopUpWasher21.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Mousedrv] c:\windows\system32\mousedrv.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [PopUpWasher] C:\Program Files\Webroot\PopUpWasher\PopUpWasher.exe
O4 - HKCU\..\Run: [Mousedrv] c:\windows\system32\mousedrv.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5...b?1083725975268
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -

#15 tman


Posted 12 May 2004 - 03:59 PM

One other thing, Papakid: I just tried to install Windows Service Pack 1, and in the process of it installing, which was taking a very long time, I received an error message saying that the product key used to install Windows is invalid. OK, just wanted to let you know. Thanks!!



